Protect

Controlling Auto Forward Rules of Emails to avoid data leakage

Email forwarding is a challenge when it comes to modern attacks, and it was recently used as one of the tools in a criminal case in Sweden. The attackers forwarded all of the victims' emails to themselves, which let them track the victims very easily and gather insights and data for social engineering attacks. Multifactor authentication codes sent via e-mail and password reset links were obtained and could easily be used to manipulate and gain access.

Email forwarding can be created in Outlook or the web application (OWA) by the users or by an attacker with access to a user account.

The solution for this is very easy.
You can block email forwarding and redirects in general and allow it where it’s necessary (if you do have that scenario).

Block autoforward domain wide for Office 365 using PowerShell:

Set-RemoteDomain Default -AutoForwardEnabled $false

It is possible to configure this on a per-domain basis, for instance if you need to allow forwarding to a specific domain.

To view all current forwarding rules, both on-prem and in the cloud, you can use the following script.
The only difference is the connection part.

View the Rules

# Lists inbox rules that forward, redirect or delete mail, for every mailbox
Function Get-AutoForwardRules
{
    foreach ($a in (Get-Mailbox -ResultSize Unlimited | Select-Object PrimarySMTPAddress))
    {
        Get-InboxRule -Mailbox $a.PrimarySMTPAddress |
            # Keep rules with any forwarding, redirect or delete action set
            Where-Object {($_.ForwardTo -ne $null) -or ($_.ForwardAsAttachmentTo -ne $null) -or ($_.DeleteMessage -eq $true) -or ($_.RedirectTo -ne $null)} |
            Select-Object Name, Identity, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage
    }
}

#Example

Get-AutoForwardRules

To connect, you need the PowerShell module for Office 365 which supports MFA:

Download the PowerShell module (available in the 365 admin portal).

Connect using: Connect-EXOPSSession -UserPrincipalName user@example.com

Security Features in Office 365

Depending on your Office 365 subscription, you might get a warning email when someone tries to define a forwarding rule.

 

This is an example for Exchange Online

$Mailboxes = Get-Mailbox -ResultSize "Unlimited"
$Count = 1
ForEach ($Mailbox in $Mailboxes)
{
    Write-Progress -Activity "Checking inbox rules..." -Status "User $($Mailbox.PrimarySmtpAddress) ($Count/$($Mailboxes.Count))" -PercentComplete ($Count / $Mailboxes.Count * 100)
    # A rule is of interest if ANY of the three forwarding actions is set (-or, not -and)
    $MailboxWithRule = Get-InboxRule -Mailbox $Mailbox.Alias | Where-Object {($_.RedirectTo -ne $null) -or ($_.ForwardTo -ne $null) -or ($_.ForwardAsAttachmentTo -ne $null)}
    if ($MailboxWithRule -ne $Null) {
        Write-Host "Mailbox $($Mailbox.PrimarySmtpAddress) has these rules:"
        # Write-Host sends nothing down the pipeline, so format the rules separately
        $MailboxWithRule | Format-List Name, Identity, RedirectTo, ForwardTo, ForwardAsAttachmentTo
    }
    $Count++
}
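
The scripts above list inbox rules only. The following added example (not part of the original post) goes one step further: it also checks mailbox-level forwarding set on the mailbox itself and reports only destinations outside the organization's accepted domains. The function name is hypothetical, and the `"Name" [SMTP:user@domain]` rendering of rule recipients is an assumption about how the session returns them.

```powershell
# Added example, not part of the original post. Run in an Exchange session.
function Get-ExternalForwarding {
    # Domains this organization owns; every other destination is external
    $internal = @((Get-AcceptedDomain).DomainName)

    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        $targets = @()

        # Mailbox-level forwarding (Set-Mailbox), which Get-InboxRule never shows
        if ($mbx.ForwardingSmtpAddress) {
            $targets += [pscustomobject]@{
                Source  = 'MailboxForwarding'
                Rule    = $null
                Address = ("$($mbx.ForwardingSmtpAddress)" -replace '^smtp:', '')
            }
        }

        # Inbox rules. Assumption: SMTP recipients render as "Name" [SMTP:user@domain]
        foreach ($rule in Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress) {
            $recipients = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
            foreach ($r in $recipients) {
                if ("$r" -match '\[SMTP:([^\]]+)\]') {
                    $targets += [pscustomobject]@{
                        Source  = 'InboxRule'
                        Rule    = $rule.Name
                        Address = $Matches[1]
                    }
                }
            }
        }

        # Report only destinations outside the accepted domains
        foreach ($t in $targets) {
            $domain = ($t.Address -split '@')[-1]
            if ($internal -notcontains $domain) {
                [pscustomobject]@{
                    Mailbox = $mbx.PrimarySmtpAddress
                    Source  = $t.Source
                    Rule    = $t.Rule
                    Target  = $t.Address
                }
            }
        }
    }
}

Get-ExternalForwarding | Sort-Object Mailbox | Format-Table -AutoSize
```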

Updates to Attack Surface Reduction Rules in Windows 10 1803

Five new rules are being introduced with Windows 10 1803:

  • Block executable files from running unless they meet a prevalence, age, or trusted list criteria
  • Use advanced protection against ransomware
  • Block credential stealing from the Windows local security authority subsystem (lsass.exe)
  • Block process creations originating from PSExec and WMI commands
  • Block untrusted and unsigned processes that run from USB

 

Complete Rules list with GUIDs

Rule name | GUID
--- | ---
Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899
Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D
Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
Block executable files from running unless they meet a prevalence, age, or trusted list criteria | 01443614-cd74-433a-b99e-2ecdc07bfc25
Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4

 

Details about the rules can be found here:

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard
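
One way to roll out the five new 1803 rules is to turn them on in audit mode first and review what they would have blocked. This is an added example, not code from the original post; the function names and the shortened rule descriptions are hypothetical, while the GUIDs are the ones listed in the table.

```powershell
# Added example, not from the original post. Requires an elevated session.
$NewAsrRules = [ordered]@{
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Executables: prevalence, age or trusted list'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Advanced protection against ransomware'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Credential stealing from lsass.exe'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Process creation from PSExec and WMI'
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Untrusted and unsigned processes from USB'
}

function Enable-AsrAudit {
    # Add-MpPreference appends, so rules that are already configured stay untouched
    foreach ($id in $NewAsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                         -AttackSurfaceReductionRules_Actions AuditMode
    }
}

function Get-AsrRuleState {
    # Ids and Actions are parallel arrays: 0 = disabled, 1 = block, 2 = audit
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $states  = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit' }
    for ($i = 0; $i -lt $ids.Count; $i++) {
        [pscustomobject]@{
            Guid  = $ids[$i]
            Rule  = $NewAsrRules[[string]$ids[$i]]   # empty for rules not in the list above
            State = $states[[int]$actions[$i]]
        }
    }
}

function Get-AsrEvent {
    # Event ID 1121 = rule blocked an action, 1122 = rule fired in audit mode
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1121, 1122
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Enable-AsrAudit
Get-AsrRuleState | Format-Table -AutoSize
Get-AsrEvent | Select-Object -First 20
```

Once the audit events show no legitimate software being hit, the same rule can be switched to block with `-AttackSurfaceReductionRules_Actions Enabled`.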

 

TechDays Sweden – Take care of your clients, you don’t WannaCry

In October the SEC-LABS R&D crew will be presenting at TechDays, the premier Swedish Microsoft IT event. We will be talking about how to secure your Windows clients, and we are going to walk you through the Microsoft security stack you can use to protect them. We will be focusing not only on Windows 10 but also on other solutions and practices you can leverage to build a more secure client environment.

http://tdswe.se/events/take-care-of-your-clients-you-dont-wannacry/ 

We hope to see you there / Stefan and Mattias

We have embedded a video from last year's event below (Swedish).

Massive ransomware campaign hits victims in at least 74 countries

Today reports were flooding the internet about a large-scale ransomware campaign.

*** Update 2017-05-13: Microsoft has put together a detailed post about the matter, now that they have had the time to reverse the malware. https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems
Microsoft has also released updates for Windows XP and 2003 Server that you can apply for the MS17-010 SMB vulnerability (KB4012598): http://www.catalog.update.microsoft.com/search.aspx?q=4012598

***

This time the attack had a massive impact on society. According to reports, multiple hospitals in the UK were taken out of business, with local files and network files encrypted.

The following picture from MalwareTech shows the infections, which have an extreme hit rate.

 

WannaCry infections (pic from malwaretech)

It’s using the NSA exploit leaked by Shadow Brokers (EternalBlue), which uses a vulnerability in the SMB protocol to spread.

This means that unpatched systems are spreading this ransomware internally on the network.

The initial infection is still not clear, but most likely it’s a phishing campaign, and we can’t stress enough how important security awareness training is for your end users.

Mitigations (for this specific campaign)

  • Patching
  • Office 365 ATP (Advanced Threat Protection)
    • Protecting against unsafe attachments
      All suspicious content goes through a real-time behavioral malware analysis that uses machine learning to evaluate the content for suspicious activities.
      Unsafe attachments are sandboxed in a detonation chamber before being sent to recipients.
    • Protect your environment when users click malicious links (Office 365 ATP URL scan)
      The URLs are examined in real time when a user clicks them.
      One benefit is the reporting, so administrators can track which users clicked a link.
    • For further information about Office 365 ATP please visit https://products.office.com/en-us/exchange/online-email-threat-protection
  • Security Awareness
    • Most likely this started with an email (well, multiple emails), but I assume someone clicked on a link named invoice or something else.
      Security awareness is still very commonly overlooked by security teams and IT departments in general.
      We simply can’t protect against every bad thing by technical means, and we need to raise awareness among the end users.
      Make sure to kick off a security awareness program. This could be seminars or intranet information.
  • Segmentation
    • Make sure you have network segmentation to avoid spreading
    • Use a local firewall to block traffic; usually there is no need to have SMB open against clients
  • Access to critical assets
    • Separation of duties
    • Users should only have access to what they need
    • Don’t set up a share where all users can read and write files from all departments
  • Windows 10 Device Guard
    • Blocking untrusted code from executing. I bet this code wasn’t signed by a trusted certificate authority
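
For the local firewall item under Segmentation, this added example (not part of the original post) lists the enabled inbound allow rules that expose TCP 445 on a client and then adds an explicit block rule. The function names and the rule display name are hypothetical, and it is meant for client machines, not for file servers that must serve SMB.

```powershell
# Added example, not from the original post. Run elevated on a Windows client.
function Get-InboundSmbAllowRule {
    # Enabled inbound allow rules whose port filter names TCP 445 explicitly
    # (port ranges such as 400-500 are not expanded here)
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
        $rule   = $_
        $filter = $rule | Get-NetFirewallPortFilter
        if ($filter.Protocol -eq 'TCP' -and @($filter.LocalPort) -contains '445') {
            [pscustomobject]@{
                Name    = $rule.DisplayName
                Group   = $rule.DisplayGroup
                Profile = $rule.Profile
            }
        }
    }
}

function Block-InboundSmb {
    param([string]$DisplayName = 'Block inbound SMB (TCP 445)')   # illustrative name

    # Idempotent: create the rule only if it does not exist yet
    if (-not (Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $DisplayName -Direction Inbound `
            -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
    Get-NetFirewallRule -DisplayName $DisplayName |
        Select-Object DisplayName, Enabled, Direction, Action
}

# Review what currently exposes SMB, then block it
Get-InboundSmbAllowRule | Format-Table -AutoSize
Block-InboundSmb
```

In Windows Firewall an explicit block rule takes precedence over the allow rules found in the first step, so those do not have to be removed for the block to take effect.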

CVE-2017-0290 – RCE in The Microsoft Malware Protection Engine

Last Friday, Tavis Ormandy and Natalie Silvanovich reported that they had discovered “the worst Windows remote code exec in recent memory”.

The vulnerability was reported to Microsoft who released an advisory: https://technet.microsoft.com/library/security/4022344.aspx

The good thing: no action is required by enterprise administrators if the default configuration is in place, in which definitions and the Malware Protection Engine are updated automatically and kept up to date.

Otherwise, patch now!

From the advisory:

Why is no action required to install this update?
In response to a constantly changing threat landscape, Microsoft frequently updates malware definitions and the Microsoft Malware Protection Engine. In order to be effective in helping protect against new and prevalent threats, antimalware software must be kept up to date with these updates in a timely manner.

For enterprise deployments as well as end users, the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Microsoft Malware Protection Engine are kept up to date automatically. Product documentation also recommends that products are configured for automatic updating.

CVE ID | Vulnerability Title | Exploitability Assessment for Latest Software Release | Exploitability Assessment for Older Software Release | Denial of Service Exploitability Assessment
--- | --- | --- | --- | ---
CVE-2017-0290 | Scripting Engine Memory Corruption Vulnerability | 2 – Exploitation Less Likely | 2 – Exploitation Less Likely | Not applicable

 

To exploit this vulnerability, a specially crafted file has to be scanned by the system. The file can be delivered in numerous ways: via the web, as an attachment, etc.

The real-time scan will automatically scan the files, and this functionality is nothing you should disable.
The real-time scan also runs on file shares, so this vulnerability does not only apply to clients.

Affected products

Antimalware Software | Microsoft Malware Protection Engine Remote Code Execution Vulnerability - CVE-2017-0290
--- | ---
Microsoft Forefront Endpoint Protection 2010 | Critical, Remote Code Execution
Microsoft Endpoint Protection | Critical, Remote Code Execution
Microsoft Forefront Security for SharePoint Service Pack 3 | Critical, Remote Code Execution
Microsoft System Center Endpoint Protection | Critical, Remote Code Execution
Microsoft Security Essentials | Critical, Remote Code Execution
Windows Defender for Windows 7 | Critical, Remote Code Execution
Windows Defender for Windows 8.1 | Critical, Remote Code Execution
Windows Defender for Windows RT 8.1 | Critical, Remote Code Execution
Windows Defender for Windows 10, Windows 10 1511, Windows 10 1607, Windows Server 2016, Windows 10 1703 | Critical, Remote Code Execution
Windows Intune Endpoint Protection | Critical, Remote Code Execution

 

Actions:

  • Verify that the update is installed
  • If necessary, install the update
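
To verify the update across several machines, this added example (not from the original post or the advisory) compares the installed Malware Protection Engine version with the first fixed version. The function name and host names are hypothetical, the fixed version must be taken from the advisory linked above, and it assumes hosts that expose the Defender cmdlets (Windows 8.1/10, Server 2016) over CIM.

```powershell
# Added example, not from the original post.
function Test-MpEngineVersion {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        # First engine version that contains the fix; take it from the advisory
        [Parameter(Mandatory)][version]$MinimumEngineVersion
    )
    foreach ($computer in $ComputerName) {
        $session = $null
        try {
            $session = New-CimSession -ComputerName $computer -ErrorAction Stop
            $status  = Get-MpComputerStatus -CimSession $session -ErrorAction Stop
            $engine  = [version]$status.AMEngineVersion
            [pscustomobject]@{
                Computer        = $computer
                EngineVersion   = $engine
                SignatureAgeDay = $status.AntivirusSignatureAge
                RealTimeScan    = $status.RealTimeProtectionEnabled
                Patched         = ($engine -ge $MinimumEngineVersion)
                Error           = $null
            }
        }
        catch {
            # Unreachable or non-Defender hosts are reported, not silently skipped
            [pscustomobject]@{
                Computer        = $computer
                EngineVersion   = $null
                SignatureAgeDay = $null
                RealTimeScan    = $null
                Patched         = $null
                Error           = $_.Exception.Message
            }
        }
        finally {
            if ($session) { Remove-CimSession $session }
        }
    }
}

# Hypothetical host names; replace the placeholder with the version from the advisory:
# Test-MpEngineVersion -ComputerName PC01, FS01 -MinimumEngineVersion '<fixed engine version>'
```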

For further information:

https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5

 

 

 

Security Best Practice for Active Directory

Securing Active Directory is really important.

We still see help desk staff being added to the Domain Admins group, and admins elevating to their DA account to run PowerShell, RSAT etc. on the same device they use to download software, browse the internet and basically do everything they do on a day-to-day basis.

In the past, Domain Admins was the easy way to manage almost everything: Exchange, users, systems running on member servers, servers (I’ve even seen domain controllers). Service accounts have been added to the Domain Admins group too. The simple reason for this was “It just works and it’s easy” or, the worst phrase, “We have always done it this way”.

Compromised credentials on servers or computers used for day-to-day administrative tasks are a common way to get the keys to the kingdom and the high-value assets every company tries so hard to protect.

 

If you have the time and want to provide proper AD security for your environment there is a Best Practice Guide to Secure Active Directory.

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory